[German]It's a story that came to my attention recently, though the behavior may be familiar to many administrators. An administrator had purchased a refurbished machine and then re-installed it with Windows 10 Pro. But even as it was being reinstalled, the machine was prompting the user to log into Azure, with a Klarna Bank AB account …
Advertising
New Windows 10 Pro install requires Azure login
The case came to my attention by chance in February 2023 at the colleagues of German administrator.de, so I decided to cover it within my blogs. The person concerned described the problem as follows.
Windows 10 requires login to Azure after new installation
Hello,
I have here a used Intel NUC that shows a strange behavior.
I wanted to reinstall it with Windows 10, but after installation it prompts for a login for Klarna Bank AB Azure.
So once entered own product key, same game, then ne other SSD pure, same game. BIOS reset as well as the prompt after installation.
I also can not install without network. Does anyone have an idea what function can cause this?
At this point I was a bit perplexed – the reference to Klarna Bank AB shows that there must be something left on this machine from the previous owner, Klarna Bank AB. It can't be in the installation image, because the affected person used his own ISO image. I remembered the German blog post Backdoor 'Windows Platform Binary Table' (WPBT) from 2015 – but that is usually OEM-related and seemed unlikely to me.
Blame OOBE check and Auto Pilot/Intune
An other administrator was then able to help the affected person with an explanation for this behavior. The above effect has been occurring since Microsoft started performing additional online checks during the setup in the OOBE phase for Windows 10/11. The user Cloudrakete wrote the following about this:
The client as such is clean.
Windows 10 / 11 from the Pro variant, however, always run (no matter where purchased) an OOBE (out of the box experience).
If the client is connected to the Internet during installation, it is checked whether someone has previously read its HW IDs and stored them in its Intune if necessary.These IDs are device specific and do not change with a new Windows installation. Apparently the Klarna Bank admin forgot to delete the HW-ID from his Intune and the OOBE, which scans every tenant in the world and searches for his ID, found it.
If you had valid credentials, and this user had also received appropriate assignments, the OOBE would start Intune onboarding via autopilot and roll out assigned policies and software to the device.
If you want to be nice, you can contact Klarna Bank and have the device removed from their Intune. Of course you need the HW ID: Manually register devices with Windows Autopilot.
Hm, if somebody facing this situation and manage to crack the credentials, he will be able to log in as "a trusted source" into the Azure AD of this organisation – just to mention. Via Facebook I received an interesting explanation from Andreas E.
This is normal, when the refurbisher does not reset the UEFI correctly (offline, refuses to create a local account), or forgets to delete the device from the autopilot (online, customized OOBE).
The idea is that the users who use such a device at home unattended will not accidentally create a local account but will be "forced" to go through the autopilot process.
The Autopilot process does not scan every Intune, Autopilot is a separate service that belongs to Windows Pro. If the device is registered in Autopilot, it downloads the JSON file assigned to the device which adjusts the OOBE and starts the enrollment process to Azure and Intune or another MDM.
Sometimes it can happen that the device locally (certain path) has such a JSON file lying around. If Windows finds the file there, it skips the online search and Autopilot starts even though the device is not registered. In this case you have to delete the file manually or reinstall Windows.
Andreas suspects that Microsoft could think about changing something in future, since many refurbishers are unfortunately unteachable here.
Advertising
Some information can be found at Microsoft in the articles Automatic Intune enrollment via Azure AD join and Demonstrate Autopilot deployment.
Were you generally aware of this? Kind of makes sense, but I feel like this Windows Eco system is getting more complex and administrators are increasingly losing control of where what is stored.
Advertising